House Republicans want to drastically change a federal privacy bill that Democrats in the Senate are also threatening to murder. The American Data Privacy and Protection Act (ADPPA) is one of the few pieces of privacy legislation to get the time of day on Capitol Hill in the last few years—even if looks now like it’s being blindfolded and handed a last cigarette.
Subcommittee members in the House advanced the bill on Thursday with a unanimous vote, even though a couple of Republicans decided a few last minute changes were needed. Those proposals were ultimately tabled but hinted that the Republicans were potential deal-breaking votes down the line. ADPPA is now headed for a full vote by the Energy and Commerce Committee next month, and could see the House floor before August. If it passes there, though, it faces at least one powerful Senate Democrat who has made it known she’ll let it die on the vine.
Almost a half decade has passed since one of America’s largest credit reporting agencies lost control over 145 million people’s sensitive data. Even the most bloodied IT professionals, people who are fully aware of the preposterous amounts of data stolen and leaked each day, were sobered by the scale and magnitude of that breach. Just about anyone who’d heard anything about Equifax wanted to see the company strung up by its thumbs. And squandering all that juice, Congress did something entirely predictable: nothing.
Multiple comprehensive privacy bills have been introduced in the interim, and precisely zero of them have been put to a vote. The ADPPA represents the latest of these efforts. It is principally aimed at curtailing (somewhat) the sheer volume of personal information being amassed by tech companies, describing any data not “reasonably necessary” to provide a service as something that should go uncollected. It creates an opt-in requirement before companies are allowed to share sensitive data with third parties, which is something privacy hawks have been after for decades, and includes a number of provisions aimed at protecting kids online. It also says users have the right to access, correct, and delete the information collected about them.
My colleague, Shoshana Wodinsky, who’s an expert in corporate data policies, was unimpressed the bill when she reported on it two weeks ago. It contained what she described as a number of “large loopholes” ripe for abuse by “bad bosses and law enforcement officials,” adding that data brokers would be free to “continue buying and selling vast amounts of our personal data with impunity.”
That doesn’t sound great, but I’m of the opinion that the bar for most Americans when it comes to privacy protections is so low that even a mildly ineffective bill would likely improve society somewhat.
The ADPPA faced a markup session Thursday, which saw Republicans seek several changes. Firstly, ADPPA requires that large data holders that rely on algorithms in certain ways—think Meta or Google—divulge details annually about their methods and uses for such tools. This includes describing what the company is doing to combat harms to users related to “protected characteristics,” which include by name, “race, color, religion, national origin, sex, or disability.” One of the changes sought, introduced by Rep. Debbie Lesko of Arizona, would be to also include “political viewpoints” on this list.
Lesko is oddly specific about the placement. Instead of just making an addition to end of this sentence, “political viewpoints” needs to be snuggled in, for some reason, right after “religion” but before “national origin, sex, or disability.” The order of the words, in this context, does not confer legal preference, but it does imply different degrees of importance.
Rep. Kelly Armstrong of North Dakota offered up three amendments that he said Republicans could not do without. While framed as burdensome to small business owners, they mirror concerns raised earlier this month by industry groups backing some of tech’s biggest players. This is also an item of contention that’s sunk many previous efforts to pass a privacy law: Tech companies simply do not want people to be able to sue them.
Saying that, really, he’s opposed to any private right of action against companies caught violating the law, Armstrong is demanding instead something that sounds slightly more reasonable—a pretty old trick that is probably going to work. His amendment effectively bans private individuals from suing a tech company for violating their privacy for a period of 60 days, just so the federal government can decide whether to bring its own action. State authorities get the same opportunity next, with the person whose privacy is actually violated falling last in line.
Armstrong also wants to give tech companies something known as a “right to cure,” which is basically a mulligan. It means even if they’re caught breaking the law, they’re granted a certain grace period to stop breaking it, and if they do, it’s like it never happened. Armstrong’s amendment gives companies 45 days to stop breaking the law before any case against them can proceed. That’s a month and a half after the company is told it’s breaking the law—not a month and a half after it actually started breaking it. Combined, these two amendments alone offer tech companies a sturdy shield to fend off any claims that could’ve been brought against them by the people they’ve actually harmed.
Potentially a poison pill, another of Armstrong’s demands is that ADPPA not only override all existing state privacy laws, but prohibit any state from passing laws in the future that might offer greater protections than ADPPA, as several in California already do.
Like every privacy bill before it, ADPPA gets in trouble when it starts using words like “preempt.” One of the main reasons no comprehensive privacy law has been passed so far is that Congress seems incapable of passing one stronger than some existing state laws. Namely, California residents, who enjoy some of the strongest privacy safeguards in the country, don’t want those protections watered down by a federal law full of loopholes.
If ADPPA somehow passes the House next month, it’ll end up in the Senate Commerce Committee, which is chaired by Sen. Maria Cantwell, Democrat of Washington. According to the Washington Post, Cantwell dispelled any doubts that might be lingering on Thursday over whether she likes the bill.
“People who want to get a bill know that you can’t preempt states with a weak federal standard, so hopefully they’ll come back to the table,” she said, referring to ADPPA’s House Republican sponsors.
Cantwell added that Chuck Schumer, the Senate majority leader, had said there’s “no way” ADPPA will ever be brought up.